Police in China are investigating the apparent loss of 130 million customers' personal details from Huazhu Hotels Group. The data exposure may trace to a Huazhu production database for which access credentials were accidentally uploaded to GitHub, the web-based code sharing and development platform.

Publicly traded Huazhu, which is based in Shanghai and listed on NASDAQ, bills itself as the world's 12th-largest hotel group. The company operates more than 3,000 hotels under 13 brand names - including Joya Hotel, Manxin Hotels & Resorts and Novotel - across more than 350 cities in China. Since 2014, Huazhu has also operated hotels under the French hotel group AccorHotels' brand names, including Mercure, Sofitel and Ibis. In May, Huazhu took a 4.5 percent stake in AccorHotels.

Police in Shanghai have confirmed that they're investigating.

"Those who commit illegal acts including theft, trading and exchange of residents' personal data will be heavily punished," the Shanghai police say in a statement. "We are resolute in protecting people's interest and ensuring information security."

Huazhu on Thursday told Information Security Media Group that it's continuing to assist police with their investigation.

The company on Tuesday issued a statement saying that in the wake of reports that its customer data was for sale online, it "immediately implemented an internal audit to guarantee the safety of our guests' information," as well as "called the police without any delay" and also brought in third-party digital forensic investigation experts "to verify whether the 'relevant personal information' being sold online" had come from the hotel management group.

Huazhu also issued a reminder that selling or disseminating the stolen data online could constitute a criminal offense, and said all "network users and platforms involved [should] immediately delete and stop disseminating the information."

For Sale: Hotel Customers' Data

Awareness of the data breach came after a vendor on a Chinese-language "darknet" cybercrime forum - reachable only by using the anonymizing Tor browser - began advertising the credentials for sale, saying they'd been obtained from a Huazhu database on Aug. 14.

Stolen Huazhu customer data was advertised on a Chinese-language darknet site

The seller set the price for the entire tranche of stolen data at 8 bitcoins, currently worth about $55,500.

Hotel records: 240 million records pertaining to customers' name, room number, mobile phone number, check-in and departure times and records of what they consumed, totaling 66 GB of data.

Security experts have said that Huazhu's development team appears to have accidentally uploaded access credentials for the production database to GitHub, around Aug. 8.

In the wake of those reports, Shanghai-based IT angel investor Yin Ran told South China Morning Post that data breaches are becoming more rampant and posing an increasing risk to Chinese businesses and consumers. "Strangers would approach us for trading of personal data owned by our portfolio firms," Yin said. "The potential risks are huge and such illegal behavior must be eradicated to pave the way for further development of digitalized businesses."

Data Breaches in China

Like the rest of the world, China hasn't been immune to the increasing pace and severity of data breaches, as well as intensifying fears that the buying and selling of people's personal information has been eroding their privacy.

In April, Deng Yufeng, a 32-year-old artist based in Beijing, highlighted the problem by launching an exhibit titled "346,000 Wuhan Citizens' Secrets." Wuhan is the capital of China's Hubei province, from which the artist hails.

Deng's exhibit featured the Wuhan residents' personal details, hung on a wall, partially redacted and only visible using a special light.

Deng said he was able to acquire the information online, including names, genders, ages, home addresses, phone numbers, license plate numbers, as well as travel and shopping records, for about $800. The artist said he amassed the information over a six-month period via Taobao, an e-commerce platform.

Police shut down the exhibit just two days after it opened and warned Deng that they were investigating him for breaking the law.

Risk of GitHub Data Exposure

Meanwhile, if the Huazhu breach traces to its developers having inadvertently uploaded credentials to GitHub, the hotel chain wouldn't be the first organization to have done so.

Ride-sharing service Uber last November disclosed that around October 2016, an outsider had accessed 57 million accounts of its riders and drivers worldwide, stored in a backup file on Amazon's S3 storage service. Uber's developers had uploaded credentials for the Amazon S3 bucket to a private GitHub site they used (see Pennsylvania Sues Uber Over Late Breach Notification).
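The failure mode described above - production credentials committed to a code repository - is easiest to catch before the commit leaves the developer's machine. The following is an added example, not code from Huazhu, Uber or GitHub: a small Python scanner in the style of a pre-commit hook that flags strings resembling database connection strings with embedded passwords, password assignments, AWS access key IDs and private-key blocks, and reports them with the secret redacted. The detection patterns and the two sample files it scans are constructed for illustration.

```python
"""Pre-commit style credential scanner (added example; not code from any
company or project named in the article). Patterns and sample inputs are
constructed for illustration and are deliberately simple."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Each pattern captures the secret portion in group "secret" so a finding
# can be reported without echoing the full value into hook output or logs.
PATTERNS = {
    # scheme://user:password@host, e.g. mysql://app:hunter2@db.internal/prod
    "connection-string": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<secret>[^\s@]+)@", re.I),
    # password = "value", db_passwd: value, REDIS_PASSWORD='value'
    "password-assignment": re.compile(
        r"(?:pass(?:word|wd)?|pwd|secret)\b\s*[:=]\s*[\"']?(?P<secret>[^\s\"']{4,})",
        re.I),
    # AWS access key IDs carry a fixed prefix and a fixed length
    "aws-access-key-id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?P<secret>(?:RSA |EC |OPENSSH )?PRIVATE KEY)-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # first two characters of the secret, then asterisks


def redact(secret: str) -> str:
    """Keep just enough of the value for the developer to recognise it."""
    return secret[:2] + "*" * max(len(secret) - 2, 4)


def scan_text(text: str, path: str = "<stdin>") -> list[Finding]:
    """Return one Finding per pattern match, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group("secret"))))
    return findings


def scan_paths(paths) -> list[Finding]:
    """Scan the given files (e.g. the staged files passed by a git hook)."""
    findings = []
    for p in paths:
        path = Path(p)
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable or deleted file: nothing to scan
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample: a settings file a developer might commit by mistake.
SAMPLE_CONFIG = """\
# settings.py (constructed sample, not a real configuration)
DATABASE_URL = "mysql://app_user:Pr0dPassw0rd!@db.example.internal:3306/guests"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
REDIS_PASSWORD = 'cache-secret-9'
DEBUG = False
"""

# Constructed sample: the same settings read from the environment instead.
SAMPLE_CLEAN = """\
import os
DATABASE_URL = os.environ["DATABASE_URL"]
"""


def main(argv: list[str]) -> int:
    """Exit non-zero when anything is found, so the hook blocks the commit."""
    findings = scan_paths(argv[1:])
    for f in findings:
        print(f"{f.path}:{f.line}: possible {f.kind} ({f.redacted})")
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) == 1:  # no files given: demonstrate on the samples
        for f in scan_text(SAMPLE_CONFIG, "settings.py"):
            print(f"{f.path}:{f.line}: possible {f.kind} ({f.redacted})")
        print("clean file findings:", scan_text(SAMPLE_CLEAN, "clean.py"))
    else:
        sys.exit(main(sys.argv))
```

Run with no arguments to see the three findings in the constructed settings file and none in the clean one; wired into a pre-commit hook it would be invoked with the staged file names and its non-zero exit would stop the commit. The redaction is deliberate: hook output often ends up in CI logs and chat, which is a second place a credential should never appear.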

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
